copacetic
ci: Add windows amd64 to goreleaser config
Adds windows+amd64 to the release configuration so copa can run on Windows (but still target a Linux container).
Tested:
⇉ ⇉ ⇉ goreleaser release --snapshot --clean --config .goreleaser.yml • starting release...
... other stuff ...
• building binaries
• building binary=dist/copacetic_darwin_amd64_v1/copa
• building binary=dist/copacetic_linux_amd64_v1/copa
• building binary=dist/copacetic_windows_amd64_v1/copa.exe
• building binary=dist/copacetic_darwin_arm64/copa
• building binary=dist/copacetic_linux_arm64/copa
Runs locally using snapshot build:
PS C:\Users\ben\Desktop> .\copa.exe -h
Project Copacetic: container patching tool
Usage:
copa [flags]
copa [command]
Available Commands:
completion Generate the autocompletion script for the specified shell
help Help about any command
patch Patch container images with upgrade packages specified by a vulnerability report
Flags:
--debug enable debug level logging
-h, --help help for copa
-v, --version version for copa
Use "copa [command] --help" for more information about a command.
PS C:\Users\ben\Desktop> .\copa.exe --version
copa version 0.0.0-SNAPSHOT-67c7e29
PS C:\Users\ben\Downloads>
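Added illustration, not the project's own .goreleaser.yml: a goreleaser `builds` entry that yields exactly the five binaries listed in the snapshot output above (darwin/linux/windows on amd64, darwin/linux on arm64, and no windows/arm64). The `id`, `main` path and the `ignore` rule are assumptions made for the example; goreleaser appends `.exe` to Windows binaries on its own, which is why `copa.exe` appears under `dist/copacetic_windows_amd64_v1/`.

```yaml
# Example goreleaser build matrix (assumed layout, not copied from the repo).
builds:
  - id: copa
    main: ./main.go          # assumption: package main lives at the repo root
    binary: copa
    env:
      - CGO_ENABLED=0        # static binary, no C toolchain needed on the Windows runner
    goos:
      - linux
      - darwin
      - windows              # the addition this PR makes
    goarch:
      - amd64
      - arm64
    ignore:
      # Assumption: drop windows/arm64 so the matrix matches the five
      # dist/ directories shown in the snapshot build above.
      - goos: windows
        goarch: arm64
    ldflags:
      - -s -w -X main.version={{ .Version }}   # assumption: a `version` var is set via ldflags
```

`goreleaser release --snapshot --clean --config .goreleaser.yml` (the command used in the PR description) expands `goos × goarch` minus the `ignore` entries, so adding `windows` to `goos` is the whole change; the `amd64_v1` suffix in the directory name comes from goreleaser's default `GOAMD64=v1` microarchitecture level.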
Codecov Report
All modified and coverable lines are covered by tests.
Comparison is base (2b9f177) 33.02% compared to head (3020af3) 33.02%.
Additional details and impacted files
@@ Coverage Diff @@
##            main     #388   +/-   ##
=======================================
  Coverage   33.02%   33.02%
=======================================
  Files         17       17
  Lines       1626     1626
=======================================
  Hits         537      537
  Misses      1060     1060
  Partials      29       29
@benbp curious, did you test patching under windows? i am guessing you are targeting linux containers, as copa won't work for windows containers
Correct, I'm still targeting linux containers. I haven't tested patching, I will do so and report back.
@benbp Any results from trying to patch an image on Windows?
@salaxander I had it working last week, but just for a scenario where no patches had to be made. I was running into some trouble actually patching an image, but believe it was related to the yum cache on my test image, not copa. I need to come back around to it; I don't actually have a good Windows machine set up myself for testing this, so I'm dependent on others for it.
C:\Users\ben\copa>trivy image --vuln-type os --ignore-unfixed -f json -o trivy.json foobar.azurecr.io/foobar/foobar:foobar
2023-10-24T14:59:36.894-0700 INFO Vulnerability scanning is enabled
2023-10-24T14:59:36.894-0700 INFO Secret scanning is enabled
2023-10-24T14:59:36.894-0700 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-10-24T14:59:36.894-0700 INFO Please see also https://aquasecurity.github.io/trivy/v0.46/docs/scanner/secret/#recommendation for faster secret detection
2023-10-24T14:59:36.905-0700 INFO Detected OS: cbl-mariner
2023-10-24T14:59:36.906-0700 INFO Detecting CBL-Mariner vulnerabilities...
C:\Users\ben\copa>copa patch -i foobar.azurecr.io/foobar/foobar:foobar -r trivy.json -t patched --addr buildx://demo
time="2023-10-24T14:59:42-07:00" level=warning msg="No update packages were specified to apply"
[+] Building 8.4s (1/2)
[+] Building 8.8s (2/2) FINISHED
=> docker-image://foobar.azurecr.io/foobar/foobar:foobar
=> => resolve foobar.azurecr.io/foobar/foobar:foobar
=> => sha256:80b4721cd0c0473359ec6a37bff8ec87b8aff638c246e49b2daa7ec138bbfe48 6.60MB / 6.60MB
=> => sha256:6b8d27d1c29e3af414dc1784d946d5ec223026832538093cc6db304d6bdc23c6 93B / 93B
=> => sha256:f6b24043e6a2c753eb6687942eeab30ef11ae65086d6fbd910bb721ac31dc763 72.75MB / 72.75MB
=> => sha256:cfe1aeec28bdca4bea939c1e14fced498122a2b2d2559c89ea6db2d87f89a590 4.46kB / 4.46kB
=> exporting to docker image format
=> => exporting layers
=> => exporting manifest sha256:b21f9f861592acb8e7a599b3982a841164b68a72ede1ec875a4160245528aa71
=> => exporting config sha256:2b742557e4fc9090bc979dd0987b562f49204bed6396dedb891603d11a6d6ce9
=> => sending tarball
Ideally, we should have a test for this in the CI if we want to officially support this. Darwin binaries are missing this too (#405)
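Added example of the kind of CI check the comment above asks for; it is not part of the project's workflows. It builds the goreleaser snapshot on a Windows runner and runs the resulting `copa.exe` the same way the PR description does by hand (`--version` and `-h`), failing the job if the binary does not start. The workflow name, action versions and the `go-version-file` setting are assumptions.

```yaml
# Example GitHub Actions job (assumed, not from the copa repo).
name: windows-binary-smoke
on:
  pull_request:

jobs:
  windows-amd64:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0            # goreleaser derives the snapshot version from git history
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod   # assumption: go.mod pins the toolchain version
      - name: Build snapshot binaries
        uses: goreleaser/goreleaser-action@v5
        with:
          args: release --snapshot --clean --config .goreleaser.yml
      - name: Smoke-test copa.exe
        shell: pwsh
        run: |
          # Locate the Windows binary under dist/ instead of hard-coding the directory name.
          $exe = Get-ChildItem -Path dist -Recurse -Filter copa.exe | Select-Object -First 1
          if (-not $exe) { throw "copa.exe was not produced by goreleaser" }
          & $exe.FullName --version
          if ($LASTEXITCODE -ne 0) { throw "copa.exe --version exited with $LASTEXITCODE" }
          & $exe.FullName -h
          if ($LASTEXITCODE -ne 0) { throw "copa.exe -h exited with $LASTEXITCODE" }
```

This only proves the binary builds and starts on Windows; exercising `copa patch` against a Linux image from a Windows runner would additionally need a BuildKit endpoint reachable from the job (the `--addr buildx://...` flag used in the transcripts above), which is why the smoke test stops at the CLI surface. The same job could be duplicated for `macos-latest` to cover the Darwin binaries mentioned in the comment.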
@salaxander @sozercan success (Docker Desktop for Windows v4.25.0, Windows 11, WSL2 engine enabled)
PS C:\Users\ben\Desktop\copa> ./copa patch -i registry.hub.docker.com/library/ubuntu:focal-20230308 -r .\ubuntu-old.json -t copapatch --addr buildx://copa
[+] Building 9.7s (9/9) FINISHED
=> CACHED docker-image://docker.io/library/ubuntu:20.04 0.4s
=> => resolve docker.io/library/ubuntu:20.04 0.3s
=> docker-image://registry.hub.docker.com/library/ubuntu:focal-20230308 0.6s
=> => resolve registry.hub.docker.com/library/ubuntu:focal-20230308 0.6s
=> apt update 5.6s
=> apt install busybox-static 3.1s
=> CACHED copy /bin/busybox /bin/busybox 0.0s
=> CACHED mkdir /copa-out 0.0s
=> CACHED /bin/busybox sh -c if [ -f /var/lib/dpkg/status ]; then cp /var/lib/dpkg/status /copa-out ; fi && if [ -d /var/lib/dpkg/status.d ]; then ls -1 /var/lib/dpkg/status.d > copa-outstatus.d ; fi 0.0s
=> CACHED diff (copy /bin/busybox /bin/busybox) -> (/bin/busybox sh -c if [ -f /var/lib/dpkg/status ]; then cp /var/lib/dpkg/status /copa-out ; fi && if [ -d /var/lib/dpkg/status.d ]; then ls -1 /var/lib/dpkg/status.d > copa-ou 0.0s
=> exporting to client directory 0.1s
=> => copying files 87.68kB 0.0s
[+] Building 15.2s (6/6) FINISHED
=> CACHED docker-image://registry.hub.docker.com/library/ubuntu:focal-20230308 0.5s
=> => resolve registry.hub.docker.com/library/ubuntu:focal-20230308 0.5s
=> apt update 6.2s
=> sh -c apt install --no-install-recommends --allow-change-held-packages -y libncursesw6 libtinfo6 ncurses-base ncurses-bin perl-base libncurses6 && apt clean -y 8.0s
=> sh -c grep "^Package:\|^Version:" "/var/lib/dpkg/status" >> "results.manifest" 0.2s
=> diff (sh -c apt install --no-install-recommends --allow-change-held-packages -y libncursesw6 libtinfo6 ncurses-base ncurses-bin perl-base libncurses6 && apt clean -y) -> (sh -c grep "^Package:\|^Version:" "/var/lib/dpkg/stat 0.1s
=> => diffing 0.1s
=> exporting to client directory 0.1s
=> => copying files 4.12kB 0.0s
time="2023-11-07T13:23:24-05:00" level=info msg="Validated package libncursesw6 version 6.2-0ubuntu2.1 meets requested version 6.2-0ubuntu2.1"
time="2023-11-07T13:23:24-05:00" level=info msg="Validated package libtinfo6 version 6.2-0ubuntu2.1 meets requested version 6.2-0ubuntu2.1"
time="2023-11-07T13:23:24-05:00" level=info msg="Validated package ncurses-base version 6.2-0ubuntu2.1 meets requested version 6.2-0ubuntu2.1"
time="2023-11-07T13:23:24-05:00" level=info msg="Validated package ncurses-bin version 6.2-0ubuntu2.1 meets requested version 6.2-0ubuntu2.1"
time="2023-11-07T13:23:24-05:00" level=info msg="Validated package perl-base version 5.30.0-9ubuntu0.4 meets requested version 5.30.0-9ubuntu0.4"
time="2023-11-07T13:23:24-05:00" level=info msg="Validated package libncurses6 version 6.2-0ubuntu2.1 meets requested version 6.2-0ubuntu2.1"
[+] Building 15.4s (6/6) FINISHED
=> CACHED docker-image://registry.hub.docker.com/library/ubuntu:focal-20230308 0.4s
=> => resolve registry.hub.docker.com/library/ubuntu:focal-20230308 0.4s
=> apt update 6.1s
=> sh -c apt install --no-install-recommends --allow-change-held-packages -y libncursesw6 libtinfo6 ncurses-base ncurses-bin perl-base libncurses6 && apt clean -y 6.4s
=> diff (apt update) -> (sh -c apt install --no-install-recommends --allow-change-held-packages -y libncursesw6 libtinfo6 ncurses-base ncurses-bin perl-base libncurses6 && apt clean -y) 0.0s
=> merge (docker-image://registry.hub.docker.com/library/ubuntu:focal-20230308, diff (apt update) -> (sh -c apt install --no-install-recommends --allow-change-held-packages -y libncursesw6 libtinfo6 ncurses-base ncurses-bin per 0.0s
=> exporting to docker image format 2.3s
=> => exporting layers 0.6s
=> => exporting manifest sha256:2c0d03802169ec8cdc0e5e6e602027a768749dda4080513e9ddb2f651fb01ddf 0.0s
=> => exporting config sha256:f617f6bac6e94bec6b871b3a1c124f38321f4f2bf14e0fc8b4f03aaadf08f5c4 0.0s
=> => sending tarball 1.7s
time="2023-11-07T13:23:40-05:00" level=info msg="Loaded image: registry.hub.docker.com/library/ubuntu:copapatch"
PS C:\Users\ben\Desktop\copa> docker image ls | sls 'focal|patch'
ubuntu focal-20230308 1c5c8d0b973a 8 months ago 72.8MB
registry.hub.docker.com/library/ubuntu copapatch f617f6bac6e9 8 months ago 81.6MB